and Answers (A+ Score)
• Subparts of HIPAA part 164 -✓✓Subpart A - General rules; Subpart C - Security;
Subpart D - Breach notification; Subpart E - Privacy.
• Covered Entity Determination -✓✓1. Compare if the organization meets one of the 3
types of CE (provider, health plan, clearinghouse) and 2. Determine if the organization
electronically transmits one of the 9 defined transactions.
• Defined Transactions -✓✓Health claims or equivalent encounter information; Health
claims attachments; Enrollment and disenrollment in a health plan; Eligibility for a health
plan; Health care payment and remittance advice; Health plan premium payments; First
report of injury; Health claim status; Referral certification and authorization.
• Business Associates -✓✓Business associates of covered entities must follow parts of
the HIPAA regulations.
• Privacy Act of 1974 -✓✓Established restrictions on how government agencies can
share information maintained in Federal systems of records that might infringe on an
individual's privacy rights.
• HIPAA Entity Designation -✓✓Not considered a HIPAA Entity Designation: Contract
arrangement with FEDEX carrier.
• Gramm-Leach-Bliley Act (GLBA) -✓✓Also known as the Financial Services
Modernization Act of 1999, includes The Financial Privacy Rule and The Safeguards
Rule requiring all financial institutions to protect customers' personal financial
information.
• OHCA -✓✓Organized Health Care Arrangement, a clinically integrated care setting
where individuals receive health care from more than one provider.
• ACE -✓✓Affiliated Covered Entity, legally separate covered entities that share
common control/ownership and designate themselves as a single CE for the purpose of
complying with the HIPAA Privacy standards.
• ACE Example -✓✓A health system composed of several affiliated hospitals.
• Hybrid Entity -✓✓Entity that conducts both covered functions (healthcare functions)
and non-covered functions (other biz/non-healthcare functions) and elects to be a 'hybrid
entity.'
• Hybrid Entity Example -✓✓A University System that has a research laboratory or
academic medical center.
• HIPAA -✓✓Health Insurance Portability and Accountability Act, which provides
standards for the access, disclosure, transmission, and retention of PHI.
• PHI -✓✓Protected Health Information, which is any information that can be used to
identify an individual and relates to their health status, provision of health care, or
payment for health care.
• Transaction (healthcare transaction) -✓✓The transmission of information between two
parties to carry out financial or administrative activities related to health care.
• Examples of healthcare transactions -✓✓Healthcare claims, coordination of benefits,
health plan premium payments, remittance advice (or EFT, electronic fund transfer),
referral certification and authorization.
• BA (Business Associate) -✓✓Performs functions or activities on behalf of a covered
entity that involve access by the business associate to protected health information.
• Examples of Business Associate functions -✓✓Claims processing, data analysis,
billing, benefit management, quality assurance, quality improvement, practice
management, legal, actuarial, accounting, accreditation, and other administrative
services.
• Business Associate contract requirement -✓✓A hospital is not required to have a
business associate contract with the specialist to whom it refers a patient and transmits
the patient's medical chart for treatment purposes.
• TPO -✓✓Treatment, Payment, and Operations; use and disclosure of PHI for these
purposes requires no specific authorization.
• HITECH -✓✓Health Information Technology for Economic and Clinical Health Act,
which made business associates directly responsible for HIPAA compliance.
• Deemed status of business associates -✓✓Contracted vendors or individuals
performing services related to handling PHI are classified as business associates by
law, regardless of their awareness of this status.
• Subcontractor as a Business Associate -✓✓A subcontractor that creates, receives,
maintains, or transmits PHI on behalf of a business associate is also considered a
business associate.
• Business associate agreement -✓✓Obligation under HIPAA and HITECH for
individuals or entities identified as business associates to enter into a business
associate agreement with their contracted covered entities.
• Exceptions to business associate agreement mandate -✓✓For purposes of TPO,
determining health plan eligibility and enrollment, and when there is no involvement of
use/disclosure of PHI.
• Authorization to use/disclose PHI -✓✓A covered entity requires authorization to
use/disclose PHI for sales and marketing and psychotherapy notes.
• Determining HIPAA applicability -✓✓Entities that transmit health information and fall
under the three types of covered entities: health plans, clearinghouses, and providers.
• National baseline for health information -✓✓HIPAA created a national baseline for
health information Privacy and Security.
• HIPAA preemption -✓✓The ability of state laws to develop health information statutes
that are higher or more restrictive than Federal HIPAA rules.
• Intent of HIPAA -✓✓To improve healthcare programs and data flow between providers
to data mine for fraudulent behavior.
• Transaction & Code Set Rules -✓✓Outlined in 45 CFR 162.100 - 162.1902, these
rules specify the data flows for healthcare transactions.
• Protected Health Information (PHI) -✓✓Information that is protected under HIPAA
regulations, which can be used or disclosed for treatment, payment, and operations
without specific authorization.
• Business Associate Contract -✓✓A contract required between a physician and a
laboratory for disclosing protected health information for treatment.
• Research use/disclosure with individual authorization -✓✓Authorization that does not
expire or continue until the end of the research study.
• Combination of authorizations -✓✓Research use/disclosure with individual
authorization may be combined with an authorization for a different research activity if
treatment is conditioned on it.
• Legal permission or consent in research -✓✓Research use/disclosure with individual
authorization may be combined with other legal permissions or consents to participate
in the research.